The 2021 Webroot BrightCloud® Threat Report: 54% of Phishing Sites use HTTPS to Trick Users

  • 20 April 2021
  • 3 replies
The 2021 Webroot BrightCloud® Threat Report: 54% of Phishing Sites use HTTPS to Trick Users
Userlevel 7
Badge +48
  • Community and Advocacy Manager
  • 1694 replies

The latest Webroot BrightCloud®️ Threat Report is here, and our findings show that cybercriminals are as creative and hardworking as ever. Although 2020 brought countless challenges for businesses and individuals all over the world, it seems to have offered cybercriminals new avenues to scam internet users, steal data, and cause disruption.

But the criminals weren’t the only ones hard at work. Cybersecurity analysts have been clocking overtime to identify and neutralize new threat tactics as quickly as they appear. Operating systems and web browsers are making effective improvements to their built-in security. Security awareness training for employees continues to improve security postures. Nations and companies are working together to break down cybercriminal infrastructure.


Here are some of the highlights from the report

Criminals targeted COVID-19 topics like it was their job (because it kind of is…)



Most of the malicious spam (malspam) emails we’ve seen have used COVID-related phishing lures. The most common lures involved guidelines on how to protect yourself from COVID-19, typically pretending to be from reputable organizations like the CDC, WHO, or even the White House. There were also many lures claiming to offer details on pandemic stimulus money and vaccines.

  • Between February and March, our data showed a 2000% spike in malicious files with ‘zoom’ in their filenames.
  • Phishing jumped 510% from January to February 2020 alone.
  • In March 2020, these services saw massive increases in phishing activity:
    • YouTube: 3,064%
    • HBO: 525%
    • Twitch: 337%
  • From March to July, during the initial lockdown phase in the U.S., phishing URLs targeting Netflix jumped 646%.


Ransomware developments made headlines and broke records


It was truly an astonishing year for ransomware, largely due to growing ransom payment amounts and the newer trend of data extortion.

  • By September 2020, the average ransom payment peaked at $233,817.
  • The attackers who hit Foxconn demanded ~1804 Bitcoin ($34 million at the time) to prevent the stolen data from being disclosed.
  • Malicious actors infected Garmin’s systems with ransomware and demanded (and reportedly received) $10 million to destroy the stolen data.
  • Attackers who infected travel management firm CWT demanded $10 million in ransom (they ultimately received $4.5 million.)


Business email compromise (BEC) is still a big deal, and it got worse with WFH

This type of scam targets commercial, government, and nonprofit organizations by fraudulently representing a senior colleague, IT team member, or a trusted customer. The email typically contains instructions to send money (especially via wire transfer), provide credentials, or release client data. BEC relies heavily on the inherent trust of employees in their members of management, fellow employees, and valued customers.

  • According to the FBI, the Internet Crime Complaint Center (IC3) got 19,369 BEC complaints in 2020.
  • The adjusted losses from BEC attacks reported to IC3 in 2020 were $1.8 billion USD!


Browser-based cryptojacking is dying off, but executable-based mining is on the rise


Unlike browser-based cryptojacking, executable-based cryptojacking can be done on any device that has a processor and an internet connection, including many Internet of Things (IoT) devices, such as routers and smart TVs. Typically, people are unaware that their computers, servers, IoT devices, or other systems are running the malicious executable and have no idea their resources are being used without their consent. If a victim notices the effect of the mining, it’s more likely because their systems slow down and their power bills skyrocket; otherwise, the CPU usage scaling can effectively conceal the compromise.

  • 1.4 million URLs still host cryptojacking scripts. Of these, about half are hosting defunct Coinhive code.

“The number of sites continuing to host defunct malicious code and outdated, highly vulnerable plugins indicates how many website and domain owners do not adequately audit the code they host.” – Cathy Yang, Lead Product Manager


Malware is trending down for now, but threats still abound

  • 86% of malware is unique to a single PC.
  • Attackers are pivoting to exploit Living off the Land Binaries (“LolBins”), which are applications that are already built into Windows®️ operating systems by default, so they rely less on malware.
  • Approximately 1 in 10 malicious sites is hosted on a benign domain.

Learn more about our findings and discover our predictions for the year to come in the full report


3 replies


i wish i went to  MIT ,so i could better  understand the   language.


I like what you are reporting, I hope my computer is protected well with your Internet Security Plus. Just wish I had a better understanding.

Why do I have to submit my details again to download the full report..?  I am a Webroot reseller we are all clearly registered and already logged in to Webroot’s portal - so why register again..?

Surely the report should be available to download directly from this site..?